Blockchain security and data analytics firm Peckshield released a mid-May tally of eight bridge-related exploits that collectively drained $328.6 million from cross-chain protocols so far this year. The figure adds to what has become the worst period on record for decentralized finance ( DeFi) while simultaneously exposing a systemic vulnerability that the industry has yet to resolve fully.

Eight major exploits that have already happened through the first half of May, per Peckshield

Cross-chain bridges work by locking tokens on one blockchain and minting equivalent assets on another, creating high-value attack surfaces where exploiters need only compromise the bridge’s verification mechanism to gain access to pooled liquidity. The structural risk became undeniable in April 2026, as crypto’s most-hacked month on record, with 30 separate incidents, a pace of nearly one attack per day.

Two of the largest attacks came in rapid succession that month. KelpDAO’s Layerzero V2 rsETH route was exploited for approximately $300 million on April 18, with an attacker extracting 116,500 rsETH from Ethereum’s OFT adapter without burning tokens on the source chain. A review by Chainalysis found that Layerzero had set a low 1-1 RPC quorum default, meaning a single poisoned node could authorize fraudulent cross-chain messages. KelpDAO subsequently migrated to Chainlink’s Cross-Chain Token standard, publicly blaming Layerzero for the infrastructure failure.

Days later, Drift Protocol suffered a $200 million-plus exploit on its Solana-based infrastructure. A CertiK analyst noted that the incidents reflected a high-stakes shift in cross-chain cybercrime strategy, with attackers growing more sophisticated in how they identify and exploit bridge verification weaknesses.

Smaller incidents have poured in the months before and even since, with IoTeX’s bridge being hit for approximately $2 million in February through a private key exploit. Subsequently, TAC Protocol lost $2.8 million in early May in what was later classified as a white hat incident after the hacker claimed a 10% bounty.

Transit Finance, a cross-chain aggregation protocol, was drained of $1.88 million on May 13 and most recently, the Verus-Ethereum bridge lost approximately $11.5 million, with the attacker’s wallet traced to a Tornado Cash seed.

Peckshield data had already shown total hack losses reaching $112.5 million in the first two months of 2026 alone before April’s surge pushed cumulative losses beyond $750 million through mid-April. With May’s incidents adding to that figure, 2026 is on course to eclipse previous records for DeFi losses.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。